feat(cloudfront): add new check cloudfront_distributions_s3_origin_non_existing_bucket
#4996
+274
−1
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…o PRWLR-4298-add-new-cloud-front-check-to-ensure-distributions-do-not-point-to-non-existent-s-3-origins pull changes in cloudfront service
github-actions
bot
added
the
provider/aws
sergargar
reviewed
Sep 17, 2024
| "SubServiceName": "", | ||
| "ResourceIdTemplate": "arn:partition:cloudfront:region:account-id:distribution/resource-id", | ||
| "Severity": "high", | ||
| "ResourceType": "AWSCloudFrontDistribution", |
There was a problem hiding this comment.
Suggested change
| "ResourceType": "AWSCloudFrontDistribution", | |
| "ResourceType": "AwsCloudFrontDistribution", |
sergargar
reviewed
Sep 17, 2024
| @@ -0,0 +1,34 @@ | |||
| { | |||
| "Provider": "aws", | |||
| "CheckID": "cloudfront_s3_origin_non_existent_bucket", | |||
There was a problem hiding this comment.
Suggested change
| "CheckID": "cloudfront_s3_origin_non_existent_bucket", | |
| "CheckID": "cloudfront_distributions_s3_origin_non_existent_bucket", |
sergargar
reviewed
Sep 17, 2024
| for origin in distribution.origins: | ||
| report.status = "FAIL" | ||
| report.status_extended = f"CloudFront Distribution {distribution.id} has a non-existent bucket as S3 origin: {origin.domain_name} or it is out of Prowler's scope." | ||
| for bucket in s3_client.buckets.values(): |
There was a problem hiding this comment.
Can you extract the bucket name from the domain name and check if it exists in the dictionary without iterating the whole dict?
sergargar
reviewed
Sep 17, 2024
|
|
||
| for origin in distribution.origins: | ||
| report.status = "FAIL" | ||
| report.status_extended = f"CloudFront Distribution {distribution.id} has a non-existent bucket as S3 origin: {origin.domain_name} or it is out of Prowler's scope." |
There was a problem hiding this comment.
Suggested change
| report.status_extended = f"CloudFront Distribution {distribution.id} has a non-existent bucket as S3 origin: {origin.domain_name} or it is out of Prowler's scope." | |
| report.status_extended = f"CloudFront Distribution {distribution.id} has a non-existent S3 bucket {origin.domain_name} as the origin or the S3 bucket is out of Prowler's scope." |
sergargar
reviewed
Sep 17, 2024
| "CheckID": "cloudfront_s3_origin_non_existent_bucket", | ||
| "CheckTitle": "CloudFront distributions should not point to non-existent S3 origins.", | ||
| "CheckType": [ | ||
| "NIST 800-53 Controls" |
sergargar
reviewed
Sep 18, 2024
...ions_s3_origin_non_existent_bucket/cloudfront_distributions_s3_origin_non_existent_bucket.py
Outdated
Show resolved
Hide resolved
|
Please, check if the S3 bucket exists in AWS with something like: If the bucket does not exist, you will receive a |
…sure-distributions-do-not-point-to-non-existent-s-3-origins
sergargar
reviewed
Sep 20, 2024
...gin_non_existent_bucket/cloudfront_distributions_s3_origin_non_existent_bucket.metadata.json
Outdated
Show resolved
Hide resolved
sergargar
reviewed
Sep 20, 2024
sergargar
reviewed
Sep 20, 2024
sergargar
reviewed
Sep 20, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Context
Configuring Amazon CloudFront distributions to point to non-existent S3 origins poses a significant security risk. If the S3 bucket no longer exists, a malicious third party could potentially create a bucket with the same name and serve unauthorized content through your distribution. This could lead to data integrity issues and potential exploitation.
Ensuring that CloudFront distributions are properly configured to point only to valid and existing S3 buckets is essential for maintaining a secure and controlled environment.
Description
The
cloudfront_distributions_s3_origin_non_existing_bucketcheck ensures that CloudFront distributions are not pointing to non-existent S3 buckets. If an origin is linked to a non-existent bucket, the check fails, as it increases the risk of unauthorized control over the distribution's content. This check ensures that all origins are correctly configured to mitigate potential security risks.Checklist
License
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.